Description

The cURL project reports in a security advisory :

Using the affected libcurl version to download compressed content over HTTP, an application can ask libcurl to automatically uncompress data.
When doing so, libcurl can wrongly pass up to 64K of data to the callback, which is much larger than the documented maximum size.

An application that blindly trusts libcurl's max limit for a fixed buffer size or similar is then a possible target for a buffer overflow vulnerability.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2013 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include("compat.inc");
# Metadata declaration. When `description` is set, the script only registers
# the attributes below and leaves through exit(0); the package check further
# down the file is not reached on that path.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(45574);
  script_version("$Revision: 1.7 $");
  script_cvs_date("$Date: 2013/06/22 00:10:42 $");

  # Advisory cross-references: the CVE being checked and a Debian advisory
  # number recorded as an external reference.
  script_cve_id("CVE-2010-0734");
  script_xref(name:"DSA", value:"2023");

  script_name(english:"FreeBSD : curl -- libcurl buffer overflow vulnerability (c8c31c41-49ed-11df-83fb-0015587e2cc1)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update.");

  # Advisory text as extracted from VuXML. The string spans several lines and
  # its continuation lines are kept at column 0 so the reported text does not
  # pick up extra leading whitespace.
  script_set_attribute(attribute:"description", value:
"The cURL project reports in a security advisory :
Using the affected libcurl version to download compressed content over
HTTP, an application can ask libcurl to automatically uncompress data.
When doing so, libcurl can wrongly send data up to 64K in size to the
callback which thus is much larger than the documented maximum size.
An application that blindly trusts libcurl's max limit for a fixed
buffer size or similar is then a possible target for a buffer overflow
vulnerability.");

  # Reference links shown to the analyst.
  script_set_attribute(attribute:"see_also", value:"http://curl.haxx.se/docs/adv_20100209.html");
  script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2010/02/09/5");
  # Shortened link; per the original comment it stands for
  # http://www.freebsd.org/ports/portaudit/c8c31c41-49ed-11df-83fb-0015587e2cc1.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e60e9422");

  script_set_attribute(attribute:"solution", value:"Update the affected package.");

  # CVSS v2 base vector: network access, medium access complexity, no
  # authentication, partial impact on confidentiality, integrity and
  # availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");

  # Declared as a local check, with CPE identifiers for the package and the OS.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:curl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  # Timeline: vulnerability disclosed, fix published, plugin published.
  script_set_attribute(attribute:"vuln_publication_date", value:"2010/02/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/04/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/20");

  script_end_attributes();

  # Scheduling information: category, family, the script this one depends on
  # and the knowledge-base keys that must exist before it runs.
  # NOTE(review): the Host/FreeBSD/* keys are presumably filled in by
  # ssh_get_info.nasl; that script is not part of this file.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2013 Tenable Network Security, Inc.");
  script_family(english:"FreeBSD Local Security Checks");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
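# Preconditions. Each test reads a knowledge-base key and hands off to
# audit() when the key is missing: local checks disabled, host not identified
# as FreeBSD, or no package list collected.
# NOTE(review): audit() comes from audit.inc and is expected to report the
# reason and stop the script; its definition is not shown in this file.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Number of package specifications that matched.
flag = 0;

# Affected range: curl 7.10.5 up to, but not including, 7.20.0.
# The comparison operators were HTML-escaped ("&gt;=", "&lt;") in the page
# extraction; they are restored here so the specification and the verbosity
# test below parse as intended.
# This is a version test on the installed package only. It does not establish
# whether any application on the host requests automatic decompression and
# copies callback data into a fixed-size buffer, which is the condition the
# advisory describes for an actual overflow.
if (pkg_test(save_report:TRUE, pkg:"curl>=7.10.5<7.20.0")) flag++;

if (flag)
{
  # Attach the package report collected by pkg_test() when the scan is
  # configured for verbose reporting; otherwise raise a bare warning.
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");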


{"result": {"cve": [{"id": "CVE-2010-0734", "type": "cve", "title": "CVE-2010-0734", "description": "content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.", "published": "2010-03-19T15:30:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0734", "cvelist": ["CVE-2010-0734"], "lastseen": "2018-01-05T12:20:00"}], "nessus": [{"id": "ORACLELINUX_ELSA-2010-0329.NASL", "type": "nessus", "title": "Oracle Linux 3 / 4 : curl (ELSA-2010-0329)", "description": "From Red Hat Security Advisory 2010:0329 :\n\nUpdated curl packages that fix one security issue are now available for Red Hat Enterprise Linux 3 and 4.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity.\n\nWesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code.\nNote: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to the insufficiently sized buffer. 
(CVE-2010-0734)\n\nUsers of curl should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libcurl must be restarted for the update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68025", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-29T13:40:13"}, {"id": "FEDORA_2010-2720.NASL", "type": "nessus", "title": "Fedora 11 : curl-7.19.7-5.fc11 (2010-2720)", "description": "http://curl.haxx.se/docs/adv_20100209.html\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2010-07-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=47292", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-29T13:43:44"}, {"id": "DEBIAN_DSA-2023.NASL", "type": "nessus", "title": "Debian DSA-2023-1 : curl - buffer overflow", "description": "Wesley Miaw discovered that libcurl, a multi-protocol file transfer library, is prone to a buffer overflow via the callback function when an application relies on libcurl to automatically uncompress data.\nNote that this only affects applications that trust libcurl's maximum limit for a fixed buffer size and do not perform any sanity checks themselves.", "published": "2010-03-29T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=45369", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-29T13:43:21"}, {"id": "MANDRIVA_MDVSA-2010-062.NASL", "type": "nessus", "title": 
"Mandriva Linux Security Advisory : curl (MDVSA-2010:062)", "description": "A vulnerability has been found and corrected in curl :\n\ncontent_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit (CVE-2010-0734).\n\nPackages for 2008.0 are provided for Corporate Desktop 2008.0 customers.\n\nThe updated packages have been patched to correct theis issue.", "published": "2010-03-22T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=45115", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-29T13:36:38"}, {"id": "SL_20100330_CURL_ON_SL3_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : curl on SL3.x i386/x86_64", "description": "Wesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code.\nNote: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to the insufficiently sized buffer. 
(CVE-2010-0734)\n\nAll running applications using libcurl must be restarted for the update to take effect.", "published": "2012-08-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60763", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-29T13:43:34"}, {"id": "SL_20100330_CURL_ON_SL4_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : curl on SL4.x i386/x86_64", "description": "Wesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code.\nNote: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to the insufficiently sized buffer. (CVE-2010-0734)\n\nAll running applications using libcurl must be restarted for the update to take effect.\n\nNote: This package for SL4 has to be renamed due to previous poor naming of rpms.", "published": "2012-08-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60764", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-29T13:36:36"}, {"id": "FEDORA_2010-2762.NASL", "type": "nessus", "title": "Fedora 12 : curl-7.19.7-7.fc12 (2010-2762)", "description": "http://curl.haxx.se/docs/adv_20100209.html\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2010-07-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=47295", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-29T13:46:00"}, {"id": "REDHAT-RHSA-2010-0273.NASL", "type": "nessus", "title": "RHEL 5 : curl (RHSA-2010:0273)", "description": "Updated curl packages that fix one security issue, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity.\n\nWesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code.\nNote: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to the insufficiently sized buffer. 
(CVE-2010-0734)\n\nThis update also fixes the following bugs :\n\n* when using curl to upload a file, if the connection was broken or reset by the server during the transfer, curl immediately started using 100% CPU and failed to acknowledge that the transfer had failed.\nWith this update, curl displays an appropriate error message and exits when an upload fails mid-transfer due to a broken or reset connection.\n(BZ#479967)\n\n* libcurl experienced a segmentation fault when attempting to reuse a connection after performing GSS-negotiate authentication, which in turn caused the curl program to crash. This update fixes this bug so that reused connections are able to be successfully established even after GSS-negotiate authentication has been performed. (BZ#517199)\n\nAs well, this update adds the following enhancements :\n\n* curl now supports loading Certificate Revocation Lists (CRLs) from a Privacy Enhanced Mail (PEM) file. When curl attempts to access sites that have had their certificate revoked in a CRL, curl refuses access to those sites. (BZ#532069)\n\n* the curl(1) manual page has been updated to clarify that the '--socks4' and '--socks5' options do not work with the IPv6, FTPS, or LDAP protocols. (BZ#473128)\n\n* the curl utility's program help, which is accessed by running 'curl\n-h', has been updated with descriptions for the '--ftp-account' and '--ftp-alternative-to-user' options. 
(BZ#517084)\n\nUsers of curl should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.\nAll running applications using libcurl must be restarted for the update to take effect.", "published": "2010-05-11T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=46288", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-29T13:41:15"}, {"id": "REDHAT-RHSA-2010-0329.NASL", "type": "nessus", "title": "RHEL 3 / 4 : curl (RHSA-2010:0329)", "description": "Updated curl packages that fix one security issue are now available for Red Hat Enterprise Linux 3 and 4.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity.\n\nWesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code.\nNote: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to the insufficiently sized buffer. (CVE-2010-0734)\n\nUsers of curl should upgrade to these updated packages, which contain a backported patch to correct this issue. 
All running applications using libcurl must be restarted for the update to take effect.", "published": "2010-05-11T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=46290", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-29T13:41:30"}, {"id": "CENTOS_RHSA-2010-0329.NASL", "type": "nessus", "title": "CentOS 3 / 4 : curl (CESA-2010:0329)", "description": "Updated curl packages that fix one security issue are now available for Red Hat Enterprise Linux 3 and 4.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity.\n\nWesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code.\nNote: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to the insufficiently sized buffer. (CVE-2010-0734)\n\nUsers of curl should upgrade to these updated packages, which contain a backported patch to correct this issue. 
All running applications using libcurl must be restarted for the update to take effect.", "published": "2010-04-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=45442", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-29T13:43:45"}], "openvas": [{"id": "OPENVAS:1361412562310861773", "type": "openvas", "title": "Fedora Update for curl FEDORA-2010-2762", "description": "Check for the Version of curl", "published": "2010-03-12T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310861773", "cvelist": ["CVE-2010-0734"], "lastseen": "2018-01-08T12:53:44"}, {"id": "OPENVAS:136141256231067287", "type": "openvas", "title": "FreeBSD Ports: curl", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2010-04-21T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067287", "cvelist": ["CVE-2010-0734"], "lastseen": "2018-01-11T11:04:49"}, {"id": "OPENVAS:830888", "type": "openvas", "title": "Mandriva Update for drakxtools MDVA-2010:062-1 (drakxtools)", "description": "Check for the Version of drakxtools", "published": "2010-02-19T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=830888", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-12-14T11:48:50"}, {"id": "OPENVAS:67208", "type": "openvas", "title": "Debian Security Advisory DSA 2023-1 (curl)", "description": "The remote host is missing an update to curl\nannounced via advisory DSA 2023-1.", "published": "2010-04-06T00:00:00", "cvss": {"score": 6.8, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=67208", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-07-24T12:49:23"}, {"id": "OPENVAS:830877", "type": "openvas", "title": "Mandriva Update for drakxtools MDVA-2010:062 (drakxtools)", "description": "Check for the Version of drakxtools", "published": "2010-02-19T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=830877", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-12-21T11:33:07"}, {"id": "OPENVAS:880390", "type": "openvas", "title": "CentOS Update for curl CESA-2010:0329 centos4 i386", "description": "Check for the Version of curl", "published": "2010-04-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=880390", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-12-20T13:18:42"}, {"id": "OPENVAS:136141256231067208", "type": "openvas", "title": "Debian Security Advisory DSA 2023-1 (curl)", "description": "The remote host is missing an update to curl\nannounced via advisory DSA 2023-1.", "published": "2010-04-06T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067208", "cvelist": ["CVE-2010-0734"], "lastseen": "2018-01-23T13:05:50"}, {"id": "OPENVAS:1361412562310830877", "type": "openvas", "title": "Mandriva Update for drakxtools MDVA-2010:062 (drakxtools)", "description": "Check for the Version of drakxtools", "published": "2010-02-19T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310830877", "cvelist": ["CVE-2010-0734"], "lastseen": "2018-01-18T11:05:08"}, {"id": "OPENVAS:1361412562310830888", "type": 
"openvas", "title": "Mandriva Update for drakxtools MDVA-2010:062-1 (drakxtools)", "description": "Check for the Version of drakxtools", "published": "2010-02-19T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310830888", "cvelist": ["CVE-2010-0734"], "lastseen": "2018-01-02T10:54:39"}, {"id": "OPENVAS:1361412562310870252", "type": "openvas", "title": "RedHat Update for curl RHSA-2010:0273-05", "description": "Check for the Version of curl", "published": "2010-04-06T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870252", "cvelist": ["CVE-2010-0734"], "lastseen": "2018-01-02T10:54:05"}], "redhat": [{"id": "RHSA-2010:0329", "type": "redhat", "title": "(RHSA-2010:0329) Moderate: curl security update", "description": "cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT\nservers, using any of the supported protocols. cURL is designed to work\nwithout user interaction or any kind of interactivity.\n\nWesley Miaw discovered that when deflate compression was used, libcurl\ncould call the registered write callback function with data exceeding the\ndocumented limit. A malicious server could use this flaw to crash an\napplication using libcurl or, potentially, execute arbitrary code. Note:\nThis issue only affected applications using libcurl that rely on the\ndocumented data size limit, and that copy the data to the insufficiently\nsized buffer. (CVE-2010-0734)\n\nUsers of curl should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. 
All running applications using\nlibcurl must be restarted for the update to take effect.", "published": "2010-03-30T04:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2010:0329", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-09-09T07:20:25"}, {"id": "RHSA-2010:0273", "type": "redhat", "title": "(RHSA-2010:0273) Moderate: curl security, bug fix and enhancement update", "description": "cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT\nservers, using any of the supported protocols. cURL is designed to work\nwithout user interaction or any kind of interactivity.\n\nWesley Miaw discovered that when deflate compression was used, libcurl\ncould call the registered write callback function with data exceeding the\ndocumented limit. A malicious server could use this flaw to crash an\napplication using libcurl or, potentially, execute arbitrary code. Note:\nThis issue only affected applications using libcurl that rely on the\ndocumented data size limit, and that copy the data to the insufficiently\nsized buffer. (CVE-2010-0734)\n\nThis update also fixes the following bugs:\n\n* when using curl to upload a file, if the connection was broken or reset\nby the server during the transfer, curl immediately started using 100% CPU\nand failed to acknowledge that the transfer had failed. With this update,\ncurl displays an appropriate error message and exits when an upload fails\nmid-transfer due to a broken or reset connection. (BZ#479967)\n\n* libcurl experienced a segmentation fault when attempting to reuse a\nconnection after performing GSS-negotiate authentication, which in turn\ncaused the curl program to crash. This update fixes this bug so that reused\nconnections are able to be successfully established even after\nGSS-negotiate authentication has been performed. 
(BZ#517199)\n\nAs well, this update adds the following enhancements:\n\n* curl now supports loading Certificate Revocation Lists (CRLs) from a\nPrivacy Enhanced Mail (PEM) file. When curl attempts to access sites that\nhave had their certificate revoked in a CRL, curl refuses access to those\nsites. (BZ#532069)\n\n* the curl(1) manual page has been updated to clarify that the \"--socks4\"\nand \"--socks5\" options do not work with the IPv6, FTPS, or LDAP protocols.\n(BZ#473128)\n\n* the curl utility's program help, which is accessed by running \"curl -h\",\nhas been updated with descriptions for the \"--ftp-account\" and\n\"--ftp-alternative-to-user\" options. (BZ#517084)\n\nUsers of curl should upgrade to these updated packages, which contain\nbackported patches to correct these issues and add these enhancements. All\nrunning applications using libcurl must be restarted for the update to take\neffect.", "published": "2010-03-30T04:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2010:0273", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-09-09T07:19:16"}], "freebsd": [{"id": "C8C31C41-49ED-11DF-83FB-0015587E2CC1", "type": "freebsd", "title": "curl -- libcurl buffer overflow vulnerability", "description": "\nThe cURL project reports in a security advisory:\n\nUsing the affected libcurl version to download compressed\n\t content over HTTP, an application can ask libcurl to\n\t automatically uncompress data. 
When doing so, libcurl\n\t can wrongly send data up to 64K in size to the callback\n\t which thus is much larger than the documented maximum\n\t size.\nAn application that blindly trusts libcurl's max limit\n\t for a fixed buffer size or similar is then a possible\n\t target for a buffer overflow vulnerability.\n\n", "published": "2010-02-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/c8c31c41-49ed-11df-83fb-0015587e2cc1.html", "cvelist": ["CVE-2010-0734"], "lastseen": "2016-09-26T17:24:49"}], "oraclelinux": [{"id": "ELSA-2010-0329", "type": "oraclelinux", "title": "curl security update", "description": "[7.12.1-11.1.el4_8.3]\n- http://curl.haxx.se/docs/adv_20100209.html (#565406)", "published": "2010-03-30T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2010-0329.html", "cvelist": ["CVE-2010-0734"], "lastseen": "2016-09-04T11:15:58"}, {"id": "ELSA-2010-0273", "type": "oraclelinux", "title": "curl security, bug fix and enhancement update", "description": "[7.15.5-9]\n- http://curl.haxx.se/docs/adv_20100209.html (#565408)\n[7.15.5-8]\n- mention lack of IPv6, FTPS and LDAP support while using a socks proxy\n (#473128)\n- avoid tight loop if an upload connection is broken (#479967)\n- add options --ftp-account and --ftp-alternative-to-user to program help\n (#517084)\n- fix crash when reusing connection after negotiate-auth (#517199)\n- support for CRL loading from a PEM file (#532069)\n[7.15.5-7]\n- sync patch for CVE-2007-0037 with 5.3.Z\nRelated: #485290\n[7.15.5-6]\n- fix CVE-2009-2417\nResolves: #516258\n[7.15.5-5]\n- forwardport one hunk from upstream curl-7.15.1\nRelated: #485290\n[7.15.5-4]\n- fix hunk applied to wrong place due to nonzero patch fuzz\nRelated: #485290\n[7.15.5-3]\n- fix CVE-2007-0037\nResolves: #485290", "published": 
"2010-04-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2010-0273.html", "cvelist": ["CVE-2009-2417", "CVE-2010-0734", "CVE-2007-0037"], "lastseen": "2016-09-04T11:17:14"}], "debian": [{"id": "DSA-2023", "type": "debian", "title": "curl -- buffer overflow", "description": "Wesley Miaw discovered that libcurl, a multi-protocol file transfer library, is prone to a buffer overflow via the callback function when an application relies on libcurl to automatically uncompress data. Note that this only affects applications that trust libcurl's maximum limit for a fixed buffer size and do not perform any sanity checks themselves.\n\nFor the stable distribution (lenny), this problem has been fixed in version 7.18.2-8lenny4.\n\nDue to a problem with the archive software, we are unable to release all architectures simultaneously. Binaries for the hppa, ia64, mips, mipsel and s390 architectures will be provided once they are available.\n\nFor the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 7.20.0-1.\n\nWe recommend that you upgrade your curl packages.", "published": "2010-03-28T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2023", "cvelist": ["CVE-2010-0734"], "lastseen": "2016-09-02T18:24:51"}], "centos": [{"id": "CESA-2010:0329", "type": "centos", "title": "curl security update", "description": "**CentOS Errata and Security Advisory** CESA-2010:0329\n\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT\nservers, using any of the supported protocols. 
cURL is designed to work\nwithout user interaction or any kind of interactivity.\n\nWesley Miaw discovered that when deflate compression was used, libcurl\ncould call the registered write callback function with data exceeding the\ndocumented limit. A malicious server could use this flaw to crash an\napplication using libcurl or, potentially, execute arbitrary code. Note:\nThis issue only affected applications using libcurl that rely on the\ndocumented data size limit, and that copy the data to the insufficiently\nsized buffer. (CVE-2010-0734)\n\nUsers of curl should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. All running applications using\nlibcurl must be restarted for the update to take effect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-April/016615.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-April/016616.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-April/016619.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-April/016620.html\n\n**Affected packages:**\ncurl\ncurl-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2010-0329.html", "published": "2010-04-06T21:45:29", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2010-April/016615.html", "cvelist": ["CVE-2010-0734"], "lastseen": "2017-10-12T14:45:22"}], "ubuntu": [{"id": "USN-1158-1", "type": "ubuntu", "title": "curl vulnerabilities", "description": "Richard Silverman discovered that when doing GSSAPI authentication, libcurl unconditionally performs credential delegation, handing the server a copy of the client\u2019s security credential. (CVE-2011-2192)\n\nWesley Miaw discovered that when zlib is enabled, libcurl does not properly restrict the amount of callback data sent to an application that requests automatic decompression. 
This might allow an attacker to cause a denial of service via an application crash or possibly execute arbitrary code with the privilege of the application. This issue only affected Ubuntu 8.04 LTS and Ubuntu 10.04 LTS. (CVE-2010-0734)\n\nUSN 818-1 fixed an issue with curl\u2019s handling of SSL certificates with zero bytes in the Common Name. Due to a packaging error, the fix for this issue was not being applied during the build. This issue only affected Ubuntu 8.04 LTS. We apologize for the error. (CVE-2009-2417)\n\nOriginal advisory details:\n\nScott Cantor discovered that curl did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.", "published": "2011-06-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/1158-1/", "cvelist": ["CVE-2009-2417", "CVE-2010-0734", "CVE-2011-2192"], "lastseen": "2018-03-29T18:19:47"}], "gentoo": [{"id": "GLSA-201203-02", "type": "gentoo", "title": "cURL: Multiple vulnerabilities", "description": "### Background\n\ncURL is a command line tool for transferring files with URL syntax, supporting numerous protocols. \n\n### Description\n\nMultiple vulnerabilities have been found in cURL:\n\n * When zlib is enabled, the amount of data sent to an application for automatic decompression is not restricted (CVE-2010-0734). \n * When performing GSSAPI authentication, credential delegation is always used (CVE-2011-2192). \n * When SSL is enabled, cURL improperly disables the OpenSSL workaround to mitigate an information disclosure vulnerability in the SSL and TLS protocols (CVE-2011-3389). \n * libcurl does not properly verify file paths for escape control characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036). 
\n\n### Impact\n\nA remote attacker could entice a user or automated process to open a specially crafted file or URL using cURL, possibly resulting in the remote execution of arbitrary code, a Denial of Service condition, disclosure of sensitive information, or unwanted actions performed via the IMAP, POP3 or SMTP protocols. Furthermore, remote servers may be able to impersonate clients via GSSAPI requests. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll cURL users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/curl-7.24.0\"", "published": "2012-03-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201203-02", "cvelist": ["CVE-2011-3389", "CVE-2010-0734", "CVE-2012-0036", "CVE-2011-2192"], "lastseen": "2016-09-06T19:46:50"}], "vmware": [{"id": "VMSA-2010-0015", "type": "vmware", "title": "VMware ESX third party updates for Service Console", "description": "a. Service Console update for NSS_db \n \nThe service console package NSS_db is updated to version nss_db-2.2-35.4.el5_5. \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-0826 to this issue. \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "published": "2010-09-30T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.vmware.com/security/advisories/VMSA-2010-0015.html", "cvelist": ["CVE-2009-3767", "CVE-2009-2409", "CVE-2010-0826", "CVE-2009-3245", "CVE-2009-3555", "CVE-2010-0734", "CVE-2010-0433", "CVE-2010-1646"], "lastseen": "2016-09-04T11:19:32"}]}}